LinuxQuestions.org
Forums > Linux Forums > Linux - General
Old 10-24-2003, 03:20 PM   #1
eyt
Member
 
Registered: Sep 2003
Posts: 76

Rep: Reputation: 15
iptables : pop3


Hi all,

I can only send mail but cannot receive mail when I enable the firewall. If I disable the firewall, I can send and receive mail.
The mail server and the firewall are on the same machine.

Any problem with the rules?


The script for the firewall is as follows:

#!/bin/bash

#############
# VARIABLES #
#############

# UPLINK - interface connected to the internet
UPLINK="eth1"

# internal network (defined here but not referenced by any rule below)
INTERNALNET="10.0.0.0/16"

# all network interfaces
INTERFACES="lo eth0 eth1"

# Flood variables

# Overall limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"

# Overall limit for logging in logging-chain
LOGLIMIT="2/s"
# Burst limit for logging in logging-chain
LOGLIMITBURST="10"

# Overall limit for Ping-flood-detection
PINGLIMIT="5/s"
PINGLIMITBURST="10"


case "$1" in
stop)
echo "Shutting down firewall..."
# clear and reset all chains
iptables -F
iptables -F -t mangle
iptables -F -t nat
iptables -X
iptables -X -t mangle
iptables -X -t nat

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# turn off NAT/masquerading, if any
iptables -t nat -F POSTROUTING

echo "...done"
;;
status)
echo "The status command is not supported for iptables"
;;
restart|reload)
$0 stop
$0 start
;;
start)

echo "Starting firewall..."
# flush everything
iptables -F
iptables -F -t mangle
iptables -F -t nat
iptables -X
iptables -X -t mangle

iptables -X -t nat

# set the default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP


##################################################
# set network sysctl options which affect tcp/ip #
##################################################

# enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

# drop spoofed packets on all interfaces (reverse-path filtering;
# 1 = strict, on kernels >= 2.6.31 a value of 2 only means loose mode)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# block all source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# set our local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

# reduce exposure to DoS by shortening timeouts and raising the SYN backlog
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog

# explicitly disable ECN
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi


###############
# INPUT_CHAIN #
###############


# drop invalid packets (illegal flag combinations, anything conntrack cannot classify)
iptables -A INPUT -m state --state INVALID -j DROP

# allow all connections on the internal interfaces (everything but the uplink)
# note: the negation goes before the option ("! -i"); "-i !" is the old,
# deprecated form and newer iptables warns about it
iptables -A INPUT ! -i ${UPLINK} -j ACCEPT

# on the uplink, only let through packets that belong to connections already
# opened (by this host or the internal network); a new connection from the
# internet must match one of the service rules below or it hits the DROP policy
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i ${UPLINK} -j ACCEPT


# kill all connection to the local interface from the outside world
#iptables -A INPUT -j REJECT -d 127.0.0.0/8


# Ping flood protection: accept at most 1 echo request per second, drop the rest
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

# Allow all other icmp
iptables -A INPUT -p icmp -j ACCEPT


############################################
# ENABLE PUBLIC ACCESS TO CERTAIN SERVICE ##
############################################

## named queries
# The --sport rules accept ANY inbound packet whose source port happens to be
# 53, whether or not it belongs to a connection, so anyone can bypass the
# firewall by sending from that port. Replies to our own lookups already match
# ESTABLISHED above, so the --sport rules are not needed and are left disabled.
iptables -A INPUT -p udp --dport domain -j ACCEPT
#iptables -A INPUT -p udp --sport domain -j ACCEPT
iptables -A INPUT -p tcp --dport domain -j ACCEPT
#iptables -A INPUT -p tcp --sport domain -j ACCEPT

# http (same remark about --sport 80)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp --sport 80 -j ACCEPT

# mail - only allow to send mail from internal network
# (traffic on eth0 is already accepted wholesale by the "! -i ${UPLINK}" rule above)
iptables -A INPUT -i eth0 -p tcp --sport mail -j ACCEPT

# mail rules for popping mail from outside world pop-3
iptables -A INPUT -p tcp --dport 110 -j ACCEPT

# allow ssh (same remark about --sport 22)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#iptables -A INPUT -p tcp --sport 22 -j ACCEPT

# mysql (no -i restriction, so this opens 3306 to the internet as well)
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
#iptables -A INPUT -p tcp --sport 3306 -j ACCEPT


################
# OUTPUT-CHAIN #
################

# allow packets to go outside
iptables -A OUTPUT -j ACCEPT


###########
# LOGGING #
###########


# log whatever none of the rules above accepted; the DROP policy then
# discards it (rate-limited so a flood cannot fill the log)
iptables -A INPUT -p tcp -m limit --limit ${LOGLIMIT} --limit-burst ${LOGLIMITBURST} \
-j LOG --log-prefix "TCP packets: "

iptables -A INPUT -p udp -m limit --limit ${LOGLIMIT} --limit-burst ${LOGLIMITBURST} \
-j LOG --log-prefix "UDP packets: "

iptables -A INPUT -p icmp -m limit --limit ${LOGLIMIT} --limit-burst ${LOGLIMITBURST} \
-j LOG --log-prefix "ICMP packets: "


# Logging for connection requests only
iptables -A INPUT -p tcp --syn -m limit --limit 5/minute \
-j LOG --log-prefix "Firewall packet:"


iptables -A FORWARD -m limit --limit 3/min \
-j LOG --log-prefix "Forwarded: " --log-level info


# final catch-all for INPUT (the prefix is misleading: INVALID packets were
# already dropped at the top of the chain, this logs everything else)
iptables -A INPUT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
-j LOG --log-prefix "fp=INVALID:1 a=DROP "


echo "...done"
;;
*)
echo "Usage: $0 {start|stop|restart|reload|status}"
;;
esac
 
Old 10-24-2003, 04:03 PM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
SMTP runs on port 35; you will need to add a rule to allow that, as you have done for ssh and http.
 
Old 10-24-2003, 04:11 PM   #3
eyt
Member
 
Registered: Sep 2003
Posts: 76

Original Poster
Rep: Reputation: 15
I can send mail but I cannot receive mail.
 
Old 10-24-2003, 04:13 PM   #4
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
Yes but if you don't let other servers access port 25 on your machine they will be unable to deliver.
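The rule set this reply describes, as an added example that is not code from the thread: remote mail servers open connections to our port 25, so that port must accept NEW connections on the uplink, while the replies to mail we send out are already covered by the ESTABLISHED rule (no --sport rules needed). The script prints the iptables commands by default so the rule set can be inspected before it is applied. It assumes the interface name from the original script (eth1 as the uplink) and the conntrack match; on a kernel of the thread's vintage the equivalent is `-m state --state`. The helper `rules_for_port` is a check added for this example.

```shell
#!/bin/sh
# Added example for this thread, not the original poster's firewall script.
# Prints the iptables commands by default (IPT="echo iptables"); run it with
# IPT=iptables as root to apply them to the live ruleset.
IPT="${IPT:-echo iptables}"

# mail_input_rules <uplink-interface>
# Emits the INPUT rules a host that is both mail server and firewall needs.
mail_input_rules() {
    uplink="$1"

    # Replies to connections this host opened (our outbound SMTP to other
    # MTAs, DNS lookups, ...) are ESTABLISHED, so no --sport rules are needed.
    $IPT -A INPUT -i "$uplink" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Inbound delivery: remote mail servers connect to OUR port 25. Without
    # this rule outbound mail works but nothing is ever delivered to us,
    # which is exactly the symptom in the thread. --syn keeps stray non-SYN
    # packets that conntrack would otherwise treat as NEW from matching.
    $IPT -A INPUT -i "$uplink" -p tcp --dport 25 --syn -m conntrack --ctstate NEW -j ACCEPT

    # Mailbox access for users fetching mail from outside (POP3).
    $IPT -A INPUT -i "$uplink" -p tcp --dport 110 --syn -m conntrack --ctstate NEW -j ACCEPT
}

# rules_for_port <port> <uplink-interface>
# Counts how many emitted rules open that port, to check the generated
# rule set before applying it (hypothetical helper, not an iptables feature).
rules_for_port() {
    mail_input_rules "$2" | grep -c -- "--dport $1 " || true
}

mail_input_rules eth1
```

In the original script these rules have to sit before the logging catch-all, since the INPUT policy is DROP; the ESTABLISHED,RELATED rule is already there, so only the port 25 line is actually missing. After applying, `iptables -S INPUT | grep -- '--dport 25'` shows the rule is in place, and `nc -vz <mailhost> 25` from a machine outside the firewall should now reach the SMTP banner.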
 
Old 10-24-2003, 06:53 PM   #5
eyt
Member
 
Registered: Sep 2003
Posts: 76

Original Poster
Rep: Reputation: 15
Thanks, it is working now.
 
  

